LINUX- Active Directory Integration
Most organisations use Active Directory Domain Services for user administration and management. Like Windows machines, Linux servers can also authenticate against and be managed through Active Directory. In this tutorial, we describe how to join a Linux server to an Active Directory domain.
Environment Prerequisites
- Microsoft Windows Active Directory.
- Linux host – RHEL
- Below Packages needed to be installed on Linux host
- Samba (version 3):
- samba3x
- samba3x-client
- samba3x-winbind
- samba3x-common
- And packages that might be needed to meet dependencies
- Kerberos:
- krb5-workstation
- krb5-libs
- And packages that might be needed to meet dependencies
- PAM:
- pam_krb5
- NTP:
Configuration
This section describes the technical configuration needed to add a Linux host as a member of a Microsoft Windows Active Directory domain. The technical steps are below.
1. Update the FQDN in /etc/hosts
It’s highly recommended to add the Active Directory server’s FQDN to /etc/hosts. If something happens to DNS, the system can still resolve it.
2. Update the Host name – /etc/sysconfig/network
where “master” is the RHEL host name and “ADserver” is the ADDS (Active Directory Domain Services) server name.
3. Update the DNS – /etc/resolv.conf
Set the system’s search domain and point to the AD DNS server in /etc/resolv.conf
4. Synchronise the Time – /etc/ntp.conf
It’s mandatory to have time synchronisation between the domain server and its clients. To achieve this, edit the NTP server details in ntp.conf.
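Steps 1 to 4 are easy to get subtly wrong (a typo in the FQDN, a stale nameserver, a missing server line), and a failed join is harder to debug than a failed pre-check. The script below is an added example, not part of the original post: it checks copies of the four files, and checks a clock offset, before the join is attempted. The host name adserver.example.com, the address 192.0.2.10, the domain example.com and the sample file contents are constructed placeholders. The clock check exists because the join and every later login use Kerberos, which rejects tickets whose timestamps differ from the domain controller's by more than the allowed skew (300 seconds by default).

```shell
#!/bin/bash
# Pre-join checks for steps 1-4 (added example; the sample file contents below are constructed).
# Each check takes explicit paths so it can be run against the live files or against copies.

# Escape dots so an FQDN or IP address can be used literally inside an extended regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Step 1: /etc/hosts must carry the AD server FQDN so resolution survives a DNS outage.
check_hosts_entry() {   # usage: check_hosts_entry <hosts-file> <ad-fqdn>
    grep -Eq "^[0-9a-fA-F.:]+[[:space:]]+(.*[[:space:]])?$(re_escape "$2")([[:space:]]|$)" "$1"
}

# Step 3: /etc/resolv.conf must name the AD DNS server and search the AD domain.
check_resolv_conf() {   # usage: check_resolv_conf <resolv-file> <ad-dns-ip> <ad-domain>
    grep -Eq "^nameserver[[:space:]]+$(re_escape "$2")([[:space:]]|$)" "$1" &&
    grep -Eq "^(search|domain)[[:space:]]+(.*[[:space:]])?$(re_escape "$3")([[:space:]]|$)" "$1"
}

# Step 4: ntp.conf must list the domain controller (or the DC's own time source) as a server.
check_ntp_server() {    # usage: check_ntp_server <ntp-conf> <server>
    grep -Eq "^server[[:space:]]+$(re_escape "$2")([[:space:]]|$)" "$1"
}

# Kerberos rejects tickets once clocks differ by more than 300 s by default. Feed this the
# offset reported by "ntpdate -q <dc>" (not run here); it returns 0 when within tolerance.
check_clock_offset() {  # usage: check_clock_offset <offset-seconds, may be negative or fractional>
    local off=${1#-}          # absolute value
    off=${off%%.*}            # integer part only
    [ "${off:-0}" -le 300 ]
}

run_prejoin_checks() {  # usage: run_prejoin_checks <hosts> <resolv> <ntp> <ad-fqdn> <ad-ip> <ad-domain>
    local rc=0
    check_hosts_entry "$1" "$4"      || { echo "FAIL: $4 is not in $1"; rc=1; }
    check_resolv_conf "$2" "$5" "$6" || { echo "FAIL: $2 does not use nameserver $5 / domain $6"; rc=1; }
    check_ntp_server  "$3" "$4"      || { echo "FAIL: $3 has no 'server $4' line"; rc=1; }
    [ "$rc" -eq 0 ] && echo "pre-join checks passed"
    return "$rc"
}

# Constructed sample files standing in for /etc/hosts, /etc/resolv.conf and /etc/ntp.conf.
TMP=$(mktemp -d)
SAMPLE_HOSTS=$TMP/hosts SAMPLE_RESOLV=$TMP/resolv.conf SAMPLE_NTP=$TMP/ntp.conf
printf '127.0.0.1 localhost\n192.0.2.10 adserver.example.com adserver\n' > "$SAMPLE_HOSTS"
printf 'search example.com\nnameserver 192.0.2.10\n' > "$SAMPLE_RESOLV"
printf 'server adserver.example.com iburst\n' > "$SAMPLE_NTP"

run_prejoin_checks "$SAMPLE_HOSTS" "$SAMPLE_RESOLV" "$SAMPLE_NTP" \
    adserver.example.com 192.0.2.10 example.com
```

On the real host, point the functions at /etc/hosts, /etc/resolv.conf and /etc/ntp.conf and pass the offset printed by ntpdate -q to check_clock_offset; a failure in any of them is worth fixing before step 5, because authconfig-tui and net ads join both assume the domain controller resolves and the clocks agree.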
5. Update the Samba and krb configuration using authconfig-tui
Check that the necessary packages are installed and back up the configuration files below:
/etc/krb5.conf
/etc/samba/smb.conf
Execute the command authconfig-tui. You will get the text user interface below. Fill in the fields as shown.
Once you have checked the necessary fields mentioned above, click Next.
Update the Kerberos settings as per your environment and click Next.
Modify the Samba settings and click OK.
Verify the configuration
Validate and update the additional information in the Kerberos and Samba configuration files:
1. Verify /etc/krb5.conf
2. Update /etc/samba/smb.conf for ID management
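The screenshots of the finished smb.conf are not reproduced here, so the following is an added example, not the post's own configuration: a constructed smb.conf in the shape an AD member server needs, with the ID management settings that step 2 refers to, plus a small checker for the settings that net ads join and winbind depend on. The realm EXAMPLE.COM, the workgroup EXAMPLE and the range 10000-19999 are placeholders; the idmap lines use the Samba 3.6 "idmap config * : ..." syntax, which is an assumption about the samba3x version in use.

```shell
#!/bin/bash
# Added example: verify the [global] settings in smb.conf that the AD join and winbind ID
# management rely on. The configuration written below is constructed; realm, workgroup and
# the idmap range are placeholders for your environment (Samba 3.6 idmap syntax assumed).

# Print the value of <key> from the [global] section; key matching ignores case and spacing.
smb_get() {   # usage: smb_get <smb.conf> <key>
    awk -v key="$2" -F= '
        /^[ \t]*\[/                       { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        !insec || /^[ \t]*[#;]/ || !/=/   { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when the file has everything an AD member needs; print each problem otherwise.
check_smb_conf() {   # usage: check_smb_conf <smb.conf>
    local f=$1 rc=0 realm range low high
    [ "$(smb_get "$f" security | tr 'A-Z' 'a-z')" = ads ] || { echo "security must be 'ads'"; rc=1; }
    [ -n "$(smb_get "$f" workgroup)" ] || { echo "workgroup (NetBIOS domain name) is not set"; rc=1; }
    realm=$(smb_get "$f" realm)
    # Kerberos realms are case-sensitive; an AD realm is the DNS domain name in upper case.
    if [ -z "$realm" ]; then
        echo "realm is not set"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm '$realm' should be upper case"; rc=1
    fi
    # Without a range winbind cannot allocate Unix UIDs/GIDs for AD users and groups. The range
    # must also sit above local accounts so an AD user never collides with an /etc/passwd entry
    # (1000 is used here as a conservative lower bound; adjust to your UID_MIN).
    range=$(smb_get "$f" 'idmap config * : range')
    case $range in
        [0-9]*-[0-9]*)
            low=${range%-*}; high=${range#*-}
            [ "$low" -ge 1000 ] && [ "$high" -gt "$low" ] \
                || { echo "idmap range $range overlaps local ids or is inverted"; rc=1; } ;;
        *)  echo "idmap config * : range is missing or malformed"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample in the shape produced by step 5 plus the ID management additions.
TMP=$(mktemp -d)
SAMPLE_SMB=$TMP/smb.conf
cat > "$SAMPLE_SMB" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # ID management: map AD SIDs to Unix ids from a range that avoids local accounts
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF

check_smb_conf "$SAMPLE_SMB" && echo "smb.conf looks ready for 'net ads join'"
```

Keep a note of the range you choose: the same numbers are what you later compare an AD user's UID against to confirm that winbind, and not a local account, is answering the lookup.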
Join the server to the domain
To join the server to the domain under a specific OU, use the command below:
#net ads join createcomputer=Datacenter-FI/Linux_Servers -U <admin id>
Replace the OU names according to your environment (Datacenter-FI/Linux_Servers is from my test environment). You should already have an admin ID created in AD to join the computer.
Restart the service
Once joined to the domain, restart the winbind service:
#systemctl restart winbind
Restrict Access only to a specific AD group
Access to the server can be restricted to a specific AD group by editing the file /etc/security/pam_winbind.conf.
Edit the require_membership_of line and add the SIDs of the groups that need access to this server, separated by commas.
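A mistyped SID on that line is the kind of error that only shows up at login time, either as everyone being locked out or, if the line is commented out or empty, as every AD user being allowed in. The script below is an added example, not part of the original post: it pulls the active require_membership_of entries out of a pam_winbind.conf and checks that each one is a well-formed SID (S-1-<authority>-<sub-authorities>; AD group SIDs look like S-1-5-21-<domain part>-<RID>). The SIDs and file contents are constructed placeholders.

```shell
#!/bin/bash
# Added example: sanity-check the require_membership_of line in pam_winbind.conf before
# relying on it. The SIDs and the sample file below are constructed placeholders.

# A SID has the form S-1-<authority>-<sub-authority>[-<sub-authority>...];
# AD group SIDs are S-1-5-21-<three domain parts>-<rid>.
is_sid() {   # usage: is_sid <value>
    printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# Print the entries of the active (uncommented) require_membership_of line, one per line,
# with commas and surrounding whitespace removed. Returns 1 when the line is absent or empty.
require_membership_entries() {   # usage: require_membership_entries <pam_winbind.conf>
    local line
    line=$(grep -E '^[[:space:]]*require_membership_of[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*=}" | tr ',' '\n' | tr -d ' \t' | grep -v '^$'
}

# Return 0 only if the line is present and every entry is a SID; report each bad entry.
check_require_membership() {   # usage: check_require_membership <pam_winbind.conf>
    local entries entry rc=0 n=0
    entries=$(require_membership_entries "$1") \
        || { echo "require_membership_of is not set: any AD user may log in"; return 1; }
    for entry in $entries; do        # entries contain no whitespace, so word splitting is safe
        n=$((n + 1))
        is_sid "$entry" || { echo "entry '$entry' is not a SID"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "$n group SID(s) restrict logins"
    return "$rc"
}

# Constructed sample of the relevant part of /etc/security/pam_winbind.conf.
TMP=$(mktemp -d)
SAMPLE_PAM=$TMP/pam_winbind.conf
cat > "$SAMPLE_PAM" <<'EOF'
[global]
;require_membership_of =
require_membership_of = S-1-5-21-1000-2000-3000-1105, S-1-5-21-1000-2000-3000-1106
EOF

check_require_membership "$SAMPLE_PAM"
```

The checker deliberately accepts only SIDs, as the post describes, so that a group name left in by accident is reported rather than silently passed through; run it against the real file after every edit, and keep a console or local root session open while you test the first AD login so a bad line cannot lock you out.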
Enable the Home directory on first login
# authconfig --enablemkhomedir --update
Verify Your Access
We have completed the AD integration on the server. Now test your access with your AD ID and password.
e.g. login: userid@domain, password: your AD password.
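Beyond a single interactive login, it helps to confirm each layer separately: the machine trust with the domain, name resolution of the AD account through NSS, and the identity mapping itself. The script below is an added example, not part of the original post; it uses the standard winbind and glibc tools (wbinfo, getent, id) and takes the idmap range from your smb.conf as arguments. The user jdoe, the range 10000-19999 and the sample passwd line are constructed placeholders; nothing in the block contacts a real domain.

```shell
#!/bin/bash
# Added example: verify the integration layer by layer once the server has joined. The user
# name and the idmap range (which must match smb.conf) are arguments; the passwd line used
# at the bottom is a constructed sample of what "getent passwd jdoe" would return.

# Layer 1: does winbind still hold a valid machine-account trust with the domain?
check_domain_trust() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found; is samba3x-winbind installed?"; return 1; }
    wbinfo -t        # reports that checking the trust secret succeeded when the join is healthy
}

# Layer 3: validate one passwd line (as printed by getent) against the expected idmap range.
check_passwd_entry() {   # usage: check_passwd_entry <passwd-line> <range-low> <range-high>
    local uid shell
    uid=$(printf '%s' "$1" | cut -d: -f3)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    # A UID outside the winbind range means a local account (or a stale mapping) answered.
    [ -n "$uid" ] && [ "$uid" -ge "$2" ] && [ "$uid" -le "$3" ] \
        || { echo "uid '$uid' is outside the winbind range $2-$3"; return 1; }
    case $shell in
        */nologin|*/false|"")
            echo "no usable login shell ('$shell'); check 'template shell' in smb.conf"; return 1 ;;
    esac
    echo "uid=$uid shell=$shell ok"
}

# Layers 2 and 3 together: resolve the AD user through NSS (needs "winbind" in the passwd and
# group lines of /etc/nsswitch.conf) and check the mapping. On the joined server run, e.g.:
#   verify_ad_user jdoe 10000 19999
verify_ad_user() {   # usage: verify_ad_user <user> <range-low> <range-high>
    local entry
    entry=$(getent passwd "$1") \
        || { echo "getent cannot resolve '$1'; check nsswitch.conf and that winbind is running"; return 1; }
    check_passwd_entry "$entry" "$2" "$3" || return 1
    id "$1"          # the group list should include the AD group named in require_membership_of
}

# Constructed sample of what "getent passwd jdoe" returns on a correctly joined host.
SAMPLE_ENTRY='jdoe:*:10042:10001:John Doe:/home/jdoe:/bin/bash'
check_passwd_entry "$SAMPLE_ENTRY" 10000 19999
```

If check_domain_trust fails after a reboot, the machine account password has usually fallen out of sync and the join needs repeating; if getent resolves the user but id shows none of the expected groups, the login restriction from the previous section will reject the user even though the password is correct.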
Hope this helps you. Please have your queries and suggestions in the comments section below.